The D.N.C. immediately hired CrowdStrike, a cybersecurity firm, to scan its computers, identify the intruders and build a new computer and telephone system from scratch. Within a day, CrowdStrike confirmed that the intrusion had originated in Russia, Mr. Sussmann said.
The work that such companies do is a computer version of old-fashioned crime scene investigation, with fingerprints, bullet casings and DNA swabs replaced by an electronic trail that can be just as incriminating. And just as police detectives learn to identify the telltale methods of a veteran burglar, so CrowdStrike investigators recognized the distinctive handiwork of Cozy Bear and Fancy Bear.
Those are CrowdStrike’s nicknames for the two Russian hacking groups that the firm found at work inside the D.N.C. network. Cozy Bear — the group also known as the Dukes or A.P.T. 29, for “advanced persistent threat” — may or may not be associated with the F.S.B., the main successor to the Soviet-era K.G.B., but it is widely believed to be a Russian government operation. It made its first appearance in 2014, said Dmitri Alperovitch, CrowdStrike’s co-founder and chief technology officer.
It was Cozy Bear, CrowdStrike concluded, that first penetrated the D.N.C. in the summer of 2015, by sending spear-phishing emails to a long list of American government agencies, Washington nonprofits and government contractors. Whenever someone clicked on a phishing message, the Russians would enter the network, “exfiltrate” documents of interest and stockpile them for intelligence purposes.
“Once they got into the D.N.C., they found the data valuable and decided to continue the operation,” said Mr. Alperovitch, who was born in Russia and moved to the United States as a teenager.
Only in March 2016 did Fancy Bear show up — first penetrating the computers of the Democratic Congressional Campaign Committee, and then jumping to the D.N.C., investigators believe. Fancy Bear, sometimes called A.P.T. 28 and believed to be directed by the G.R.U., Russia’s military intelligence agency, is an older outfit, tracked by Western investigators for nearly a decade. It was Fancy Bear that got hold of Mr. Podesta’s email.
Attribution, as the skill of identifying a cyberattacker is known, is more art than science. It is often impossible to name an attacker with absolute certainty. But over time, by accumulating a reference library of hacking techniques and targets, it is possible to spot repeat offenders. Fancy Bear, for instance, has gone after military and political targets in Ukraine and Georgia, and at NATO installations.
That largely rules out cybercriminals and most countries, Mr. Alperovitch said. “There’s no plausible actor that has an interest in all those victims other than Russia,” he said. Another clue: The Russian hacking groups tended to be active during working hours in the Moscow time zone.
To their astonishment, Mr. Alperovitch said, CrowdStrike experts found signs that the two Russian hacking groups had not coordinated their attacks. Fancy Bear, apparently not knowing that Cozy Bear had been rummaging in D.N.C. files for months, took many of the same documents.
I’ve had this piece sitting in my to-read pile for a couple of weeks and I’m actually glad I wound up reading it after (some) sanctions were finally put in place in response to the cyberattacks. It’s a terrifying chain of events, obviously, and I’m not sure how more people aren’t concerned by it. The group that should hopefully learn the biggest lesson here is the GOP. While they benefitted this time, the next time it will be their turn on the chopping block.